Dears,

I am not running GNS3. This is a real-life rack setup. My ASA version is
8.2(1) and it is running in single mode with "no nat-control". In SHOW ARP, I
am getting nothing!

This was a technology setup. Can there be a VLAN issue underneath, or an SVI
missing, or is there anything in my configs so far?

setup is simple
================

router 5  --------- (inside) ASA (outside) ------------- router 1


ASA
======

interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 100.100.7.10 255.255.255.0
!

interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/2
 nameif outside
 security-level 0
 allow-ssc-mgmt
 ip address 100.100.6.10 255.255.255.0


access-list outside extended permit icmp any any
access-list outside extended permit tcp host 100.100.6.4 host 100.100.52.5 eq telnet
access-list outside extended permit tcp host 100.100.51.1 host 100.100.52.5 eq telnet
access-list outside extended permit esp host 192.168.1.1 host 192.168.5.5
access-list outside extended permit udp host 192.168.1.1 host 192.168.5.5 eq isakmp
access-list R1-R5 extended permit ip host 100.100.51.1 host 100.100.52.5
access-list R4-R5 extended permit ip host 100.100.6.4 host 100.100.52.5
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (outside,inside) 100.100.3.70  access-list R1-R5
static (outside,inside) 100.100.7.31  access-list R4-R5
access-group outside in interface outside

router ospf 1
 network 100.100.6.0 255.255.255.0 area 0
 network 100.100.7.0 255.255.255.0 area 0
 log-adj-changes



R1 CONFIG
==========
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 100.100.7.5
!
!
crypto ipsec transform-set tset esp-des esp-md5-hmac
!
crypto ipsec profile vpn
 set transform-set tset

int lo0
ip add 192.168.1.1 255.255.255.0

interface Tunnel0
 ip address 123.1.1.1 255.255.255.0
 tunnel source 100.100.6.1
 tunnel destination 100.100.7.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn


router eigrp 199
 network 123.1.1.0 0.0.0.255
 network 192.168.1.0
 no auto-summary


R5 CONFIG
==========

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 100.100.6.1
!
!
crypto ipsec transform-set tset esp-des esp-md5-hmac
!
crypto ipsec profile vpn
 set transform-set tset


interface Loopback0
 ip address 192.168.5.5 255.255.255.0
!


!
interface Tunnel0
 ip address 123.1.1.5 255.255.255.0
 tunnel source 100.100.7.5
 tunnel destination 100.100.6.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn

router ospf 1
 router-id 5.5.5.5
 log-adjacency-changes
 network 100.100.7.5 0.0.0.0 area 0
 network 100.100.8.5 0.0.0.0 area 0
 network 100.100.52.5 0.0.0.0 area 0

Upon debug cry isa and logging console 7, I am getting the following messages:

Rack05R5#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
100.100.6.1       100.100.7.5       MM_NO_STATE          0    0 ACTIVE

IPv6 Crypto ISAKMP SA

Rack05R5#
*Jan  5 12:11:31.912: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan  5 12:11:31.912: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jan  5 12:11:31.912: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan  5 12:11:31.912: ISAKMP:(0): sending packet to 100.100.6.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan  5 12:11:31.912: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jan  5 12:11:41.900: ISAKMP: set new node 0 to QM_IDLE
*Jan  5 12:11:41.900: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 100.100.7.5, remote 100.100.6.1)
*Jan  5 12:11:41.900: ISAKMP: Error while processing SA request: Failed to initialize SA
*Jan  5 12:11:41.904: ISAKMP: Error while processing KMI message 0, error 2.
*Jan  5 12:11:41.912: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Jan  5 12:11:41.912: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jan  5 12:11:41.912: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Jan  5 12:11:41.912: ISAKMP:(0): sending packet to 100.100.6.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Jan  5 12:11:41.912: ISAKMP:(0):Sending an IKE IPv4 Packet.